Jan Soucek has discovered a new bug in the iOS mail app that could load remote HTML code replacing the original content of the message.
Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS.
The bug could be used to create fake iCloud-like login forms that would capture passwords and more --right within the iOS Mail app. Soucek says he notified Apple of this bug back in January 2015, but the company never issued a fix -- so he published a proof of concept to put pressure on Apple to fix the bug.
While Soucek uses an iCloud-login form to demonstrate the bug, almost any website could be imitated, making it possible to steal credit cards, passwords, social security numbers, and more.
No word on which iOS versions are impacted by the bug, but please by wary of any pop login forms that appear with the iOS Mail App.
Read More
Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password "collector" using simple HTML and CSS.
The bug could be used to create fake iCloud-like login forms that would capture passwords and more --right within the iOS Mail app. Soucek says he notified Apple of this bug back in January 2015, but the company never issued a fix -- so he published a proof of concept to put pressure on Apple to fix the bug.
While Soucek uses an iCloud-login form to demonstrate the bug, almost any website could be imitated, making it possible to steal credit cards, passwords, social security numbers, and more.
No word on which iOS versions are impacted by the bug, but please by wary of any pop login forms that appear with the iOS Mail App.
Read More